New SSL_ERROR_BAD_CERT_DOMAIN with home-made certificate

Hello there!
A few years ago, to connect to my router securely, I made my own Certificate Authority and a certificate for the router signed by it (LuCi, ssl and Firefox)
My actions were:

  1. Creating root CA key
openssl genrsa -out rootCA.key 2048
  2. Creating root CA certificate
openssl req -x509 -new -key rootCA.key -days 10000 -out rootCA.crt
  3. Creating router key
openssl genrsa -out router.key 2048
  4. Creating "Certificate Signing Request"
openssl req -new -key router.key -out router.csr
  5. Creating router certificate
openssl x509 -req -in router.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out router.crt -days 5000

And it worked fine until now.
Firefox doesn't allow the router certificate anymore. The error code is: SSL_ERROR_BAD_CERT_DOMAIN

Looks like something has changed (upgraded?) on the security side. How do I generate a new certificate which will be valid?

Google acme.sh

renew every 60 days?…

It's free, and it's not self-signed.

Just cron it.


Well, I didn't understand what really happened, but reissuing the certificates with additional detailed info solved the problem. What follows is what I came up with.

I've used openssl as a password generator

openssl rand -base64 16

and the Elliptic Curve Digital Signature Algorithm (ECDSA)

Creating local Certificate Authority

  1. Generate the private key to become a local Certificate Authority
openssl ecparam -genkey -name secp521r1 | openssl ec -aes256 -out localCA.key.pem
  2. Generate the certificate for the local Certificate Authority
openssl req -key localCA.key.pem -new -x509 -days 10000 -sha256 -config localCA.conf -out localCA.crt.pem

where the localCA.conf is:

[req]
distinguished_name      = req_distinguished_name
x509_extensions         = v3_ca
prompt                  = no
string_mask             = utf8only

[req_distinguished_name]
C                       = ZZ
ST                      = YY
L                       = XX
O                       = LAN
CN                      = Local Certificate Authority

[v3_ca]
basicConstraints        = critical, CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always
keyUsage                = critical, digitalSignature, keyCertSign, cRLSign

Creating CA-Signed Certificate for router

  1. Generate the private key for the local site "router.lan"
openssl ecparam -genkey -name secp521r1 | openssl ec -aes256 -out router.key.pem
  2. Creating the Certificate Signing Request (CSR)
openssl req -new -key router.key.pem -subj "/C=ZZ/ST=YY/L=XX/O=LAN/OU=Router/CN=router.lan" -out router.csr
  3. Creating an X509 V3 certificate extension config file, which is used to define the Subject Alternative Name (SAN) for the certificate. File router.ext is:
basicConstraints        = critical, CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always
keyUsage                = critical, digitalSignature, nonRepudiation, keyEncipherment, keyAgreement
extendedKeyUsage        = critical, serverAuth
subjectAltName          = @alt_names

[alt_names]
DNS.1                   = router.lan
IP.1                    = 192.168.1.1
  4. Creating the signed certificate, using our CSR, the CA private key, the CA certificate, and the .ext config file
openssl x509 -req -in router.csr -CA localCA.crt.pem -CAkey localCA.key.pem -CAcreateserial -days 10000 -sha256 -extfile router.ext -out router.crt

Note. If there are other sites in the LAN which have to use certificates too, the flags -CAcreateserial and -CAserial are mandatory.

Setting up router

  1. Unfortunately, uhttpd doesn't support password-protected keys (yet?). So, to decrypt the router.key.pem file (the passphrase.txt file contains the passphrase):
openssl ec -passin file:passphrase.txt -in router.key.pem -out router.key
  2. I didn't install any additional packages on the router (OpenWrt 22.03.2), so the tools used are ssh, scp and vi. Moving router.crt and router.key to the router host (if the error "ash /usr/libexec/sftp-server not found scp connection closed" occurs, use the -O flag, see 'man scp'):
scp router.crt root@192.168.1.1:/etc/ssl/router.crt
scp router.key root@192.168.1.1:/etc/ssl/router.key
  3. Setting up uhttpd to use the new signed certificate.
ssh 192.168.1.1
vi /etc/config/uhttpd

In the line with option cert set the value /etc/ssl/router.crt, and in the line with option key set the value /etc/ssl/router.key. Also, to enable http -> https redirection, set option redirect_https to 1. Then restart uhttpd.

/etc/init.d/uhttpd restart
  4. Adding the cert files to the backup list. In LuCI, go to System -> Backup/Flash Firmware, click the Configuration tab, then add /etc/ssl/router.crt & /etc/ssl/router.key

Setting up browser

I use Firefox.
Open about:preferences#privacy
Certificates -> View Certificates -> Authorities -> Import
Select localCA.crt.pem and restart Firefox.
Now it will trust all certificates signed with the local CA in the LAN.

References:

https://wiki.gentoo.org/wiki/Certificates/Become_your_own_CA
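An added example (my own shell script, not code from the post) that builds a CN-only certificate like the original recipe and a SAN certificate like the new one from the same CSR, then checks each the way a current browser does: the hostname must appear in subjectAltName, the CN alone no longer counts. It assumes openssl is on the PATH and leaves the keys unencrypted (no -aes256) so it runs unattended.

```shell
#!/bin/sh
# Added example, not from the forum post. Builds old-style (CN only) and
# new-style (SAN) router certificates from one CSR and checks them.
# Assumes openssl on PATH; keys left unencrypted so the script runs unattended.
set -e
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d); cd "$WORK"

# Local CA (EC key, self-signed certificate), as in the post.
openssl ecparam -genkey -name secp521r1 -noout -out localCA.key.pem
openssl req -key localCA.key.pem -new -x509 -days 3650 -sha256 \
    -subj "/O=LAN/CN=Local Certificate Authority" -out localCA.crt.pem 2>/dev/null

# Router key and CSR; the CN names the host but is not enough on its own.
openssl ecparam -genkey -name secp521r1 -noout -out router.key.pem
openssl req -new -key router.key.pem -subj "/O=LAN/OU=Router/CN=router.lan" -out router.csr

# Extension file: the subjectAltName is what the browser actually matches.
cat > router.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName   = DNS:router.lan, IP:192.168.1.1
EOF

# issue <out.crt> [extfile]: sign router.csr with the local CA.
issue() {
    openssl x509 -req -in router.csr -CA localCA.crt.pem -CAkey localCA.key.pem \
        -CAcreateserial -days 3650 -sha256 ${2:+-extfile "$2"} -out "$1" 2>/dev/null
}
issue old.crt             # CN only: what the original recipe produced
issue new.crt router.ext  # CN plus SAN

# chain_ok <crt>: does the certificate chain to the local CA? (trust, not naming)
chain_ok() { openssl verify -CAfile localCA.crt.pem "$1" >/dev/null 2>&1; }

# san_has <crt> <entry>: is <entry> ("DNS:router.lan", "IP Address:192.168.1.1")
# listed in subjectAltName? openssl verify -verify_hostname falls back to the CN
# when no SAN is present, so it would not reproduce Firefox's refusal.
san_has() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//' | grep -qx "$2"
}

for crt in old.crt new.crt; do
    if chain_ok "$crt"; then printf '%s: trusted chain; ' "$crt"; fi
    if san_has "$crt" DNS:router.lan; then echo "SAN covers router.lan"
    else echo "no SAN -> browser reports SSL_ERROR_BAD_CERT_DOMAIN"; fi
done
```

Both certificates chain to the local CA; only new.crt carries the SAN, which is exactly the difference between the failing and the working setup.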

